U.S. Application No.: 10/762,660 Attorney Docket No.: GRD03-03 

-2- 

IN THE CLAIMS 

1. (Currently Amended) A method for behavior based access tracking 
of an application comprising: 

intercepting an access attempt to a protected resource; 

comparing the access attempt to a preexisting set of allowable access 
attempts to determine if the access attempt corresponds to a previous allowable 
access, comparing the access attempt further comprising: 

determining a structure of the access attempt corresponding to a 
syntactical arrangement of the access attempt; and 

comparing the determined structure of the access attempt 
independently of the data values implicated in the access attempt; 

selectively permitting, based on the comparing, access to the protected 
resource according to the access attempt; and 

augmenting the set of allowable access attempts by selectively adding, 
based on inferential feedback, the access attempt to the set of allowable access 
attempts. 

2. (Original) The method of claim 1 wherein comparing the access 
attempt determines correspondence by a matching of explicit rules qualifying 
allowable data access attempts and by a matching of a baseline having 
previously allowed data access attempts. 

3. (Original) The method of claim 1 wherein adding further comprises 
selectively adding, if the data access transaction corresponds to a window of 
allowable database activity, the data access attempt to the set of allowable data 
access attempts. 



4. (Canceled) 
5. (Currently Amended) The method of claim 1 [[4]] wherein comparing 
the determined structure further comprises comparing a hash value derived from 
the determined structure. 

6. (Canceled) 

7. (Original) The method of claim 1 further comprising defining an 
access policy having a plurality of access rules, the access rules indicative of 
allowable access, wherein the preexisting set of allowable access attempts 
correspond to one of the plurality of the rules. 

8. (Original) The method of claim 1 wherein determining the 
preexisting set comprises establishing a baseline of allowable activity, the 
baseline indicative of an accepted set of allowable access attempts. 

9. (Original) The method of claim 8 wherein the baseline is a rule in 
the access policy and indicates allowable access when a data access transaction 
matches a previous data access transaction represented in the baseline. 

10. (Currently Amended) The method of claim 8 wherein the baseline 
includes the structure [[the]] of the access attempts, and avoids including data 
values of the data access transactions from which it is derived. 

11. (Original) The method of claim 1 wherein selectively permitting 
further comprises computing, based on iteratively applying the access rules to 
the access attempt, an access result indicative of whether to allow the access 
attempt. 

12. (Original) The method of claim 1 further comprising: 
identifying a plurality of allowable access attempts; 
inferring, based on observable patterns in the allowable access 
attempts, access rules indicative of the plurality of allowable access attempts; 
and 

adding the inferred rules to the access policy. 

13. (Original) The method of claim 12 wherein inferring further 
comprises: 

processing the series of allowable access attempts to determine related 
groups of allowable access transactions; 

suggesting, based on a commonality of the processed group of 
allowable access attempts, an access rule indicative of each of the series of 
allowable access attempts; and 

adding, in response to operator input, the suggested access rule to 
the access policy. 

14. (Original) The method of claim 1 wherein the preexisting set of 
allowable access attempts comprise a current baseline representative of a 
window of access attempts, further comprising modifying the current baseline by 
including access attempts from a different window of access attempts. 

15. (Original) The method of claim 11 wherein adding further 
comprises: 

identifying a sampling window of access attempts, the sampling 
window deterministic of allowable access patterns to the protected resource; 

storing an indication of the access attempts made during the 
window of access attempts; and 

merging the window of access attempts with the current baseline 
set of access attempts, the current baseline deemed deterministic of allowable 
access behavior. 
16. (Original) The method of claim 1 wherein storing further comprises: 
verifying that the access attempt is indicative of allowable access 

behavior; and 

selectively adding, based on the verifying, the access attempts to the 
baseline of allowable access attempts. 

17. (Original) The method of claim 16 wherein determining the 
preexisting set includes comparing a sensitivity threshold indicative of a series of 
corresponding access attempts defining a benign pattern. 

18. (Original) The method of claim 17 wherein the corresponding 
access attempts define a similar pattern of access structures, the access 
structures determined by tables and fields affected by the access attempt. 

19. (Currently Amended) The method of claim 1[[7]] wherein the parse 
tree further conforms to a platform independent format, wherein parse trees and 
corresponding hash values generated from different platforms are similar and are 
operative to result in a consistent comparison result for similar data access 
attempts on a plurality of platforms. 

20. (Original) The method of claim 1 further comprising: 

storing a set of data access attempts according to a learning window of 

observable database behavior; 

generating suggested rules; 

adding suggested rules to the security policy; and 

reanalyzing the set of data access attempts gathered during the 

learning window in an iterative manner against suggested rules. 

21. (Currently Amended) A security filter device for behavior based 
access tracking of a software application comprising: 
a database access analyzer operable to intercept an access attempt to a 
protected resource; 

a baseline comparator operable to compare the access attempt to a 
preexisting set of allowable access attempts to determine if the access attempt 
corresponds to a previous allowable access attempt, the comparator for 
comparing the access attempts by: 

determining a structure of the access attempt corresponding to 
syntactical arrangement of the access attempt; and 

comparing the determined structure of the access attempt 
independently of the data values implicated in the access attempt, 
determining the structure further comprising: 
parsing the access attempt; and 

building a parse tree from the parsing, the parse tree indicative of a 
syntactical structure of the data access attempt, wherein comparing 
further comprises computing a hash value from the parse tree, and 

comparing the hash value to the hash values of previous access 
attempts; 

an enforcer operable to selectively permit, based on the comparing, 
access to the protected resource according to the access attempt; and 

an inference engine operable to add, if the access attempt is permitted, 
the access attempt to the set of allowable access attempts. 

22. (Original) The security filter device of claim 21 wherein the baseline 
comparator is further operable to compare the access attempt and determine 
correspondence by matching explicit rules qualifying allowable data access 
attempts and matching of a baseline having previously allowed data access 
attempts. 

23. (Original) The security filter device of claim 21 further comprising: 
a parser in the database access analyzer operable to determine a 
structure of the access attempt corresponding to syntactical arrangement of the 
access attempt, wherein the baseline comparator is operable to compare the 
determined structure of the access attempt independently of the data values 
implicated in the data access attempt. 

24. (Original) The security filter device of claim 23 wherein the 
database access analyzer further includes a hash engine operable to compute a 
hash value derived from the determined structure. 

25. (Original) The security filter device of claim 23 wherein the parser is 
further operable to: 

parse the access attempt; and 

build a parse tree from the parsing, the parse tree indicative of a 
syntactical structure of the data access attempt, wherein the baseline comparator 
is operable to compare the computed hash value from the parse tree to the hash 
values computed from previous access attempts. 

26. (Original) The security filter device of claim 21 further comprising an 
access policy having a plurality of access rules, the access rules indicative of 
allowable access, wherein the preexisting set of allowable access attempts 
correspond to one of the plurality of the rules. 

27. (Original) The security filter device of claim 21 wherein the 
preexisting set further comprises a baseline of allowable activity, the baseline 
indicative of an accepted set of allowable access attempts. 

28. (Original) The security filter device of claim 27 wherein the parser is 
operable to generate a parse tree corresponding to the structure of the access 
attempts, the parse tree not including data values of the data access transactions 
from which it is derived. 

29. (Original) The security filter device of claim 21 wherein the 
inference engine is operable to: 

identify a plurality of allowable access attempts; and 

infer, based on observable patterns in the allowable access 

attempts, access rules indicative of the plurality of allowable access attempts; 

and 

add the inferred rules to the access policy. 

30. (Original) The security filter device of claim 29 wherein the 
inference engine further comprises: 

a learner operable to process the series of allowable access attempts to 
determine related groups of allowable access transactions, the learner further 
operable to suggest, based on a commonality of the processed group of 
allowable access attempts, an access rule indicative of each of the series of 
allowable access attempts; and 

a rule suggestor operable to add, in response to operator input, the 
suggested access rule to the access policy. 

31. (Original) The security filter device of claim 21 wherein the 
preexisting set of allowable access attempts comprise a current baseline set 
representative of a window of access attempts, wherein the inference engine is 
operable to modify the current baseline by including access attempts from a 
different window of access attempts. 

32. (Original) The security filter device of claim 31 wherein the 
inference engine is further operable to: 
identify a sampling window of access attempts, the sampling 
window deterministic of allowable access patterns to the protected resource; 

store an indication of the access attempts made during the window 
of access attempts; and 

merge the window of access attempts with the current baseline set 
of access attempts, the current baseline deemed deterministic of allowable 
access behavior. 

33. (Original) The security filter device of claim 21 wherein the 
inference engine is further operable to: 

retain the data access attempts during a learning window of observable 

database behavior; 

generate suggested rules based on the learning window; 
conditionally add suggested rules to the security policy; and 
reanalyze the set of data access attempts gathered during the 

learning window in an iterative manner against suggested rules. 

34. (Original) The security filter device of claim 21 wherein the rule 
logic in the inference engine is further operable to: 

verify that the access attempt is indicative of allowable access behavior; 

and 

selectively add, based on the verification, the access attempts to the 
baseline of allowable access attempts. 

35. (Original) The security filter device of claim 34 wherein determining 
the preexisting set includes comparing a sensitivity threshold indicative of a 
series of corresponding access attempts defining a benign pattern. 

36. (Original) The security filter device of claim 35 wherein the 
corresponding access attempts define a similar pattern of access structures, the 
access structures determined by tables and fields affected by the access 
attempt. 

37. (Original) The security filter device of claim 21 further including an 
interface operable with an external application, the interface operable to transmit 
allowable data access attempts to the external application. 

38. (Original) The security filter device of claim 21 wherein the 
database analyzer further includes an interface operable with an external 
application, the database analyzer operable to receive data access attempts 
from the external application via the interface, process the received data access 
attempts, and forward the processed data access attempts to the security filter 
and the repository for processing via the inference engine. 

39. (Currently Amended) A computer program product having a 
computer readable storage medium operable to store computer program logic 
embodied in computer program code encoded thereon that, when executed by a 
computer, cause the computer to perform steps for behavior based access 
tracking of a software application comprising: 

[[computer program code for]] intercepting an access attempt to a protected 
resource; 

[[computer program code for]] comparing the access attempt to a preexisting 
set of allowable access attempts to determine if the access attempt corresponds 
to a previous allowable access attempt, comparing the access attempt further 
comprising: 

determining a structure of the access attempt corresponding to 
syntactical arrangement of the access attempt; and 

comparing the determined structure of the access attempt 
independently of the data values implicated in the access attempt, 
determining the structure further comprising: 
parsing the access attempt; and 

building a parse tree from the parsing, the parse tree indicative of a 
syntactical structure of the data access attempt, wherein comparing 
further comprises computing a hash value from the parse tree, and 

comparing the hash value to the hash values of previous access 
attempts; 

selectively permitting, based on the comparing, access to the protected 
resource according to the access attempt; and 

[[computer program code for]] adding, if the access attempt is permitted, the 
access attempt to the set of allowable access attempts. 

40. (Canceled) 

41. (Currently Amended) A security filter device for behavior based access 
tracking of a software application comprising: 

means for intercepting an access attempt to a protected resource; 

means for comparing the access attempt to a preexisting set of allowable 
access attempts to determine if the access attempt corresponds to a previous 
allowable access attempt , means for comparing the access attempt further 
comprising: 

means for determining a structure of the access attempt 
corresponding to syntactical arrangement of the access attempt; and 

means for comparing the determined structure of the access 
attempt independently of the data values implicated in the access attempt, 
determining the structure further comprising: 

means for parsing the access attempt; and 

means for building a parse tree from the parsing, the parse tree 
indicative of a syntactical structure of the data access attempt, wherein 
comparing further comprises computing a hash value from the parse tree, 
and 

comparing the hash value to the hash values of previous access 
attempts; 

means for selectively permitting, based on the comparing, access to the 
protected resource according to the access attempt; and 

means for adding, if the access attempt is permitted, the access attempt 
to the set of allowable access attempts. 

42. (New) A method for behavior based access tracking of an information 
repository comprising: 

capturing a sequence of access attempts; 

establishing a baseline of allowable access attempts from captured 
access attempts and a set of preexisting allowable accesses indicative of rules 
defining allowable behavior; 

intercepting an access attempt to the information repository; 

parsing the access attempt to determine a syntactical arrangement of the 
access attempt; 

building a parse tree to determine a structure of the access attempt, the 
parse tree indicative of the syntactical arrangement of the access attempt; 

computing a hash value from the parse tree, the parse tree deterministic 
of a query structure of the access attempt such that similar access attempts 
share the query structure; 

comparing the computed hash value of the access attempt to hash values 
computed from the established baseline to determine if the access attempt 
corresponds to a previous allowable access; 

selectively permitting, based on the comparing, access to the information 
repository according to the access attempt; and 
augmenting the established baseline by selectively adding, based on 
inferential feedback, the access attempt to the set of allowable access attempts 
for invocation with successive access attempts. 

43. (New) The method of claim 42 further comprising comparing the 
determined structure of the access attempt independently of the data values 
implicated in the access attempt, such that the computed hash is unaffected by 
differences in queried data values. 

44. (New) The method of claim 42 wherein augmenting further comprises: 
identifying a sampling window of access attempts, the sampling window 

deterministic of allowable access patterns to the protected resource; 

storing an indication of the access attempts made during the window of 
access attempts; and 

merging the window of access attempts with the current baseline set of 
access attempts, the current baseline deemed deterministic of allowable access 
behavior. 
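The procedure recited in claims 1, 21 and 42 (intercept the access attempt, parse it into a tree that omits data values, hash the tree, compare the hash with a baseline learned over a sampling window subject to a sensitivity threshold, permit, and feed the permitted attempt back into the baseline), together with the rule suggestion of claims 12 and 13 and the table/field access structure of claim 18, as an added Python illustration. It is not code from the application or its assignee; the tokenizer, the clause grammar, the `Baseline` class, the default threshold of 2 and every sample statement are assumptions made for this example.

```python
"""Structure-based screening of database access attempts as recited in the claims: parse
the statement, drop its data values, hash the parse tree, compare the hash against a
baseline learned from a sampling window, and feed permitted attempts back into it.
Added illustration, not the application's code; grammar, names and samples are invented."""
import hashlib
import json
import re
from collections import Counter

# Tokens: string literal, numeric literal, identifier or keyword, operator/punctuation.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][\w.]*|<>|<=|>=|!=|[<>=(),*;]")
CLAUSES = ("select", "from", "where", "update", "set", "insert", "into", "values", "delete")
TABLE_CLAUSES, FIELD_CLAUSES = ("from", "update", "into"), ("select", "where", "set")
NOISE = {"and", "or", "not", "in", "like", "is", "null", "between"}   # keywords, not fields

def parse_tree(sql):
    """Clause-level parse tree: case and whitespace normalised, every literal replaced by
    '?', so the tree reflects only the syntactical arrangement (claims 1, 10 and 43)."""
    tree, clause = [], None
    for tok in TOKEN.findall(sql):
        tok = "?" if tok[0] == "'" or tok[0].isdigit() else tok.lower()
        if tok in CLAUSES:
            clause = [tok, []]
            tree.append(clause)
        elif clause is not None and tok != ";":
            clause[1].append(tok)
    return tree

def structure_hash(sql):
    """SHA-256 over a canonical serialisation of the parse tree (claims 5, 19 and 42)."""
    canon = json.dumps(parse_tree(sql), separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def tables_and_fields(sql):
    """Tables and fields the statement touches (the access structure of claim 18)."""
    tables, fields = set(), set()
    for name, body in parse_tree(sql):
        idents = [t for t in body if t[0].isalpha() and t not in NOISE]
        if name in TABLE_CLAUSES:
            tables.update(idents[:1])    # assumption: one table per clause, no joins
        elif name in FIELD_CLAUSES:
            fields.update(idents)
    return frozenset(tables), frozenset(fields)

class Baseline:
    """Allowable structures keyed by hash, plus table/field rules an operator accepted."""
    def __init__(self):
        self.hashes = {}   # structure hash -> first statement that produced it
        self.rules = {}    # table -> fields an accepted rule allows on it

    def learn_window(self, statements, min_count=2):
        """Merge a sampling window (claims 14, 15); a structure is admitted only when it
        recurs min_count times, the sensitivity threshold of claim 17."""
        counts = Counter(structure_hash(s) for s in statements)
        for s in statements:
            if counts[structure_hash(s)] >= min_count:
                self.hashes.setdefault(structure_hash(s), s)
        return self

    def suggest_rules(self):
        """Candidate rules from the commonality of admitted structures (claims 12, 13):
        per table, the union of fields touched.  Installing them is the operator's call."""
        rules = {}
        for tables, fields in map(tables_and_fields, self.hashes.values()):
            for t in tables:
                rules.setdefault(t, set()).update(fields)
        return rules

    def permit(self, sql, learn=True):
        """Baseline structure match first, then an accepted rule covering every table and
        field touched (claim 2).  learn=True feeds a rule-permitted attempt back (claim 1)."""
        h = structure_hash(sql)
        if h in self.hashes:
            return True, "baseline"
        tables, fields = tables_and_fields(sql)
        if tables and all(fields <= self.rules.get(t, set()) for t in tables):
            if learn:
                self.hashes[h] = sql
            return True, "rule"
        return False, "unknown structure"

# Constructed sample traffic, not taken from the application.
LEARNING_WINDOW = [
    "SELECT name, balance FROM accounts WHERE id = 42",
    "select name, balance from accounts where id = 17",                   # same shape, other value
    "SELECT name, balance FROM accounts WHERE id = 42 AND region = 'EU'",
    "SELECT name, balance FROM accounts WHERE id = 7 AND region = 'US'",
    "UPDATE accounts SET balance = 100 WHERE id = 42",                   # seen once: under threshold
]
PROBES = [
    "SELECT name, balance FROM accounts WHERE id = 99",           # differs only in a value
    "SELECT name, balance FROM accounts WHERE id = 99 OR 1 = 1",  # tautology changes the structure
    "SELECT name, balance, ssn FROM accounts WHERE id = 1",       # new field
    "UPDATE accounts SET balance = 5 WHERE id = 9",               # structure fell under threshold
]

def demo():
    """Learn the window, then screen the probes; returns the decisions and suggested rules."""
    baseline = Baseline().learn_window(LEARNING_WINDOW)
    return {p: baseline.permit(p) for p in PROBES}, baseline.suggest_rules()
```

Running `demo()` admits two structures from the window (the `UPDATE` is seen once and stays out), allows the first probe because only its literal changed, and denies the other three because the hash of their structure is unknown. The suggested rule is coarser than the hashes: it records only that `name`, `balance`, `id` and `region` are read from `accounts`, so once an operator installs it the `OR 1 = 1` probe passes as well, since a tautology adds no new table or field. That gap is why claim 13 gates adding a suggested rule on operator input rather than installing it automatically. The tokenizer here silently drops characters it does not recognise; a deployment would use the database's own SQL grammar.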



